CORS Problem

[luvvvdev]

My encore.app config:
{ "id": "", "lang": "typescript", "global_cors": { "debug": true, "allow_origins_without_credentials": ["http://localhost:3000"], "allow_origins_with_credentials": ["http://localhost:3000"], "allow_headers": ["*"] } }

Steps to reproduce:

1. Create a new TypeScript application
2. Add an endpoint
3. Send a request to it from a web client

Expectation:
Request from web application will be executed without errors

Reality:
Access to XMLHttpRequest at 'http://localhost:4000/auth.login' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

[eandre]

How are you running it? With encore run, or with encore eject, or something else?

[jeremyrx7]

I have the same problem. I have added all the CORS related headers but it doesn't work for some reason.

"global_cors": {
    "debug": true,
    "allow_headers": ["*"],
    "expose_headers": ["*"],
    "allow_origins_without_credentials": ["*"],
    "allow_origins_with_credentials": ["*"]
  }

I have a Go encore app and using TS generated client. It doesn't work on normal fetch as well.

It is working fine on from localhost:8080 (FE) -> localhost:4000(BE) but for some reason it doesn't work when you get the deployed URL.

cc @eandre

[eandre]

allow_origins_with_credentials doesn't support the wildcard match * because that's a security vulnerability in most cases. If you really need this you can use the value ["UNSAFE_ALL_ORIGINS_WITH_CREDENTIALS"], but as the name suggests it’s unsafe unless you know what you’re doing.

[fredr]

@luvvvdev would you mind testing with the latest version of encore?
Update with: encore version update

We've made some cors fixes that might relate to your problem, depending on where you see them? (is it via encore run, encore docker build or how are you running encore?)